```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Linux Filesystem Security Hardening Guide</title>
    <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css">
    <link rel="stylesheet" href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            color: #333;
            line-height: 1.8;
        }
        h1, h2, h3, h4 {
            font-family: 'Noto Serif SC', serif;
            font-weight: 600;
            margin-top: 2rem;
        }
        h1 {
            font-size: 2.5rem;
            color: #1a365d;
            border-bottom: 2px solid #e2e8f0;
            padding-bottom: 0.5rem;
        }
        h2 {
            font-size: 1.8rem;
            color: #2c5282;
            border-left: 4px solid #4299e1;
            padding-left: 1rem;
        }
        .hero {
            background: linear-gradient(135deg, #1e3a8a 0%, #1e40af 100%);
            color: white;
            border-radius: 0.5rem;
        }
        .card {
            transition: all 0.3s ease;
            border-radius: 0.5rem;
            box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
        }
        .card:hover {
            transform: translateY(-5px);
            box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05);
        }
        .code-block {
            background-color: #2d3748;
            color: #f7fafc;
            border-radius: 0.375rem;
            overflow-x: auto;
        }
        .badge {
            display: inline-flex;
            align-items: center;
            padding: 0.25rem 0.75rem;
            border-radius: 9999px;
            font-size: 0.75rem;
            font-weight: 600;
        }
        a {
            color: #3182ce;
            transition: color 0.2s;
        }
        a:hover {
            color: #1e40af;
            text-decoration: underline;
        }
        footer a:hover {
            color: #a0aec0;
        }
        .mermaid {
            background-color: white;
            padding: 1.5rem;
            border-radius: 0.5rem;
            box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
        }
    </style>
</head>
<body class="bg-gray-50">
    <div class="container mx-auto px-4 py-8 max-w-5xl">
        <!-- Hero Section -->
        <section class="hero p-8 mb-12">
            <div class="flex flex-col md:flex-row items-center">
                <div class="md:w-2/3">
                    <h1 class="text-4xl md:text-5xl font-bold mb-4 text-white">Linux Filesystem Security Hardening Guide</h1>
                    <p class="text-xl text-blue-100 mb-6">Protect your system's data end to end: keep unauthorised users out and keep the data from being lost</p>
                    <div class="flex items-center space-x-2">
                        <span class="badge bg-blue-200 text-blue-800"><i class="fas fa-shield-alt mr-1"></i> Data protection</span>
                        <span class="badge bg-green-200 text-green-800"><i class="fas fa-lock mr-1"></i> Access control</span>
                        <span class="badge bg-purple-200 text-purple-800"><i class="fas fa-search mr-1"></i> Security auditing</span>
                    </div>
                </div>
                <div class="hidden md:block md:w-1/3 text-center">
                    <i class="fas fa-server text-8xl text-blue-300 opacity-80"></i>
                </div>
            </div>
        </section>

        <!-- Introduction -->
        <section class="mb-12">
            <div class="bg-white p-6 rounded-lg shadow-md">
                <p class="text-lg text-gray-700 leading-relaxed">
                    Hardening the filesystem is a core part of protecting data on a Linux system: it keeps data confidential and intact against unauthorised access and guards against loss. This guide walks through the hardening measures in order, from basic permission bits to mandatory access control, restrictive mount options and audit logging, so that you can build a defensible Linux filesystem configuration.
                </p>
            </div>
        </section>

        <!-- Security Methods Visualization -->
        <section class="mb-12">
            <h2 class="text-2xl font-bold mb-6">Overview of hardening measures</h2>
            <div class="mermaid">
                graph TD
                    A[Linux filesystem hardening] --> B[Encryption]
                    A --> C[Permission management]
                    A --> D[Access control]
                    A --> E[Data protection]
                    A --> F[Auditing and monitoring]
                    A --> G[System maintenance]
                    
                    B --> B1[Full-disk encryption]
                    B --> B2[File-level encryption]
                    
                    C --> C1[chmod/chown]
                    C --> C2[ACLs]
                    
                    D --> D1[SELinux]
                    D --> D2[AppArmor]
                    
                    E --> E1[Mount options]
                    E --> E2[Backups]
                    
                    F --> F1[auditd]
                    F --> F2[Log rotation]
                    
                    G --> G1[Security updates]
                    G --> G2[Minimal installation]
            </div>
        </section>

        <!-- Content Sections -->
        <section class="mb-12">
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-key text-blue-500 mr-3"></i> 1. Use encryption
                </h2>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-hdd mr-2"></i> Full-disk encryption (FDE)
                        </h3>
                        <p class="text-gray-700 mb-4">Encrypt the whole block device with dm-crypt using the LUKS (Linux Unified Key Setup) on-disk format, so that everything on the disk is unreadable at rest and only becomes accessible after the volume is unlocked with its passphrase or key file during boot.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Initialise a LUKS container on the device (DESTROYS all existing data on /dev/sdX)</span><br>
                                cryptsetup luksFormat /dev/sdX<br>
                                <span class="text-green-400"># Unlock it as /dev/mapper/cryptdisk (luksOpen is the older spelling of "cryptsetup open --type luks")</span><br>
                                cryptsetup luksOpen /dev/sdX cryptdisk<br>
                                <span class="text-green-400"># Back up the header and store it off the disk: without it the volume is unrecoverable</span><br>
                                cryptsetup luksHeaderBackup /dev/sdX --header-backup-file /root/sdX-luks-header.img
                            </code>
                        </div>
                        <div class="text-sm text-gray-500 flex items-center">
                            <i class="fas fa-info-circle mr-1"></i> Configure full-disk encryption at install time; converting a populated root filesystem afterwards is error-prone. FDE protects data only while the volume is locked (a stolen or decommissioned disk), not against an attacker on the running system.
                        </div>
                    </div>
                    
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-folder-open mr-2"></i> File-level encryption
                        </h3>
                        <p class="text-gray-700 mb-4">Encrypt specific sensitive files or directories rather than the whole disk, for example with eCryptfs, a stacked filesystem that encrypts one directory. Newer distributions favour the kernel's native fscrypt (ext4, F2FS) and no longer install ecryptfs-utils by default.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Create an encrypted ~/Private (backing store ~/.Private), auto-mounted at login when pam_ecryptfs is configured</span><br>
                                ecryptfs-setup-private<br>
                                <span class="text-green-400"># Mount it by hand in a session where it was not auto-mounted</span><br>
                                ecryptfs-mount-private
                            </code>
                        </div>
                        <div class="text-sm text-gray-500 flex items-center">
                            <i class="fas fa-info-circle mr-1"></i> Suitable for sensitive files in a user's home directory. It protects data at rest only: while the directory is mounted, any process running as that user reads it in the clear.
                        </div>
                    </div>
                </div>
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-shield-alt text-blue-500 mr-3"></i> 2. Configure file permissions
                </h2>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-user-lock mr-2"></i> chmod and chown
                        </h3>
                        <p class="text-gray-700 mb-4">Restrict each file and directory to the users and groups that actually need it, following the principle of least privilege.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Owner-only read/write on a file holding credentials</span><br>
                                chmod 600 /path/to/file<br>
                                <span class="text-green-400"># Owner-only access to a directory (x is what allows traversing it)</span><br>
                                chmod 700 /path/to/dir<br>
                                <span class="text-green-400"># Hand the file to the account and group that should own it</span><br>
                                chown user:group /path/to/file
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-exclamation-triangle mr-1"></i> Avoid permissive modes such as 777: every local account can then modify or replace the file, which becomes code execution as a privileged user the moment a root process reads or executes it.
                        </div>
                    </div>
                    
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-list-alt mr-2"></i> Access control lists (ACLs)
                        </h3>
                        <p class="text-gray-700 mb-4">Finer-grained than the owner/group/other bits: grant permissions to specific additional users or groups without widening the group or "other" permissions for everyone else.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Grant one extra user read/write without touching group or "other" bits</span><br>
                                setfacl -m u:user:rw /path/to/file<br>
                                <span class="text-green-400"># Make new files under a directory inherit an entry (default ACL)</span><br>
                                setfacl -d -m g:group:rx /path/to/dir<br>
                                <span class="text-green-400"># Review the entries, and strip them all when no longer needed</span><br>
                                getfacl /path/to/file<br>
                                setfacl -b /path/to/file
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> Requires ACL support in the filesystem (ext4, XFS and Btrfs enable it by default); ls -l shows a + after the mode string when a file carries ACL entries, which plain mode bits would otherwise hide.
                        </div>
                    </div>
                </div>
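                <div class="card bg-white p-6 mt-6">
                    <p class="text-gray-700 mb-4">The two mistakes called out above, world-writable files and unreviewed setuid binaries, are easy to find with find. The script below is an added example written for this page, not code from the original guide. It builds its own constructed sample tree (an assumed layout, not a real host) so that it runs as an unprivileged user, reports both classes of finding, and strips the world-writable bit from the files it found.</p>
<pre class="code-block p-4 mb-4">
```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a directory tree for
# the two permission mistakes the text warns about (world-writable files and
# stray setuid/setgid binaries) and tighten the world-writable ones.
# It scans a constructed temp tree, so it runs as an unprivileged user.

# World-writable files and directories, excluding sticky directories
# (a sticky world-writable dir such as /tmp is by design).
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# Regular files carrying the setuid or setgid bit.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Remove the "other: write" bit from everything find_world_writable reports;
# prints how many paths were changed. A heredoc is used instead of a pipe so
# the counter survives (a piped while-loop would run in a subshell).
fix_world_writable() {
    n=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        chmod o-w "$p" && n=$((n + 1))
    done <<EOF
$(find_world_writable "$1")
EOF
    echo "$n"
}

# Constructed sample tree (assumed layout, not a real host): one
# world-writable config holding a secret, one setuid helper, one sticky dir.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app/conf" "$d/app/bin" "$d/shared"
    chmod 0755 "$d/app" "$d/app/bin"
    chmod 0750 "$d/app/conf"
    echo 'db_password=example-only' > "$d/app/conf/app.conf"
    chmod 0666 "$d/app/conf/app.conf"          # bad: any local user can edit it
    printf '#!/bin/sh\nexit 0\n' > "$d/app/bin/helper"
    chmod 4755 "$d/app/bin/helper"             # setuid: review, or drop the bit
    chmod 1777 "$d/shared"                     # sticky, like /tmp: acceptable
    echo "$d"
}

# Demo run on the sample tree.
tree=$(make_sample_tree)
echo "world-writable:"; find_world_writable "$tree"
echo "setuid/setgid:";  find_setid "$tree"
echo "fixed $(fix_world_writable "$tree") path(s)"
rm -rf "$tree"
```
</pre>
                    <p class="text-sm text-gray-500">Point the two find functions at real roots such as / or /usr/local (the -xdev keeps them on one filesystem), and compare the setuid list with the set your distribution ships before removing any bit: stripping setuid from sudo or passwd locks users out.</p>
                </div>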
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-user-shield text-blue-500 mr-3"></i> 3. Implement mandatory access control
                </h2>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-seedling mr-2"></i> SELinux
                        </h3>
                        <p class="text-gray-700 mb-4">Security-Enhanced Linux adds mandatory access control (MAC): a system-wide policy, not file ownership, decides which process domains may access which labelled files, so a compromised service stays confined even when it runs as root.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Check SELinux status: mode, loaded policy, and whether it is enabled at all</span><br>
                                sestatus<br>
                                <span class="text-green-400"># Switch mode until the next boot; the persistent setting is SELINUX= in /etc/selinux/config</span><br>
                                setenforce 1 <span class="text-gray-500"># enforcing: denials are blocked</span><br>
                                setenforce 0 <span class="text-gray-500"># permissive: denials are only logged; never leave a production host here</span><br>
                                <span class="text-green-400"># Review recent denials before changing policy</span><br>
                                ausearch -m AVC -ts recent
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> Default on RHEL/CentOS/Fedora and derivatives
                        </div>
                    </div>
                    
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-user-secret mr-2"></i> AppArmor
                        </h3>
                        <p class="text-gray-700 mb-4">Another MAC implementation: per-application profiles written in terms of file paths, which are generally easier to author than SELinux policy. Only programs that have a profile are confined; everything else runs unconfined.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Check AppArmor status: loaded profiles and whether each is in enforce or complain mode</span><br>
                                aa-status<br>
                                <span class="text-green-400"># (Re)load a profile into the kernel after editing it</span><br>
                                apparmor_parser -r /etc/apparmor.d/profile.name<br>
                                <span class="text-green-400"># Log violations without blocking while developing a profile, then enforce it</span><br>
                                aa-complain /etc/apparmor.d/profile.name<br>
                                aa-enforce /etc/apparmor.d/profile.name
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> Default on Debian/Ubuntu, openSUSE/SLES and derivatives
                        </div>
                    </div>
                </div>
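                <div class="card bg-white p-6 mt-6">
                    <p class="text-gray-700 mb-4">Neither sestatus nor aa-status is guaranteed to exist on a minimal host, and an AppArmor that reports "enabled" with no profile in enforce mode confines nothing. The function below is an added example for this page, not code from the original guide: it reads the kernel's own status files (listed in the comments) and takes an optional root-prefix argument, an assumption made so that it can be exercised against a constructed directory tree instead of the live /sys.</p>
<pre class="code-block p-4 mb-4">
```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: report whether a mandatory
# access control LSM is actually enforcing, read straight from the kernel's
# sysfs/securityfs files rather than via distro tools (sestatus/aa-status
# may be absent on a minimal host). The optional ROOT argument is an assumed
# prefix so the function can be tested against a constructed tree.
#
# Files used (present on mainline kernels with the respective LSM built in):
#   /sys/kernel/security/lsm                  comma-separated active LSMs
#   /sys/fs/selinux/enforce                   1 = enforcing, 0 = permissive
#   /sys/module/apparmor/parameters/enabled   Y when AppArmor is on
#   /sys/kernel/security/apparmor/profiles    "name (enforce|complain)" lines

mac_status() {
    root=${1:-}
    lsm=$(cat "$root/sys/kernel/security/lsm" 2>/dev/null || true)

    if [ -r "$root/sys/fs/selinux/enforce" ]; then
        case "$(cat "$root/sys/fs/selinux/enforce")" in
            1) echo "selinux enforcing" ;;
            *) echo "selinux permissive" ;;   # policy loaded, denials only logged
        esac
        return 0
    fi

    if [ "$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null)" = "Y" ]; then
        prof="$root/sys/kernel/security/apparmor/profiles"
        # "enabled" alone proves nothing: count profiles that actually confine.
        # grep -c prints 0 and exits 1 on no match, so the || true keeps the count.
        enf=$(grep -c '(enforce)' "$prof" 2>/dev/null || true)
        cpl=$(grep -c '(complain)' "$prof" 2>/dev/null || true)
        echo "apparmor enabled: ${enf:-0} enforce, ${cpl:-0} complain"
        return 0
    fi

    echo "no MAC detected (lsm=${lsm:-unknown})"
}

# Live check of the host this runs on.
mac_status
```
</pre>
                    <p class="text-sm text-gray-500">Read this together with the setenforce caveat above: a host that reports selinux permissive has its policy loaded but is only logging, so nothing in that policy is actually being denied; treat it as unconfined until it is switched back.</p>
                </div>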
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-database text-blue-500 mr-3"></i> 4. Protect sensitive data
                </h2>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-hard-drive mr-2"></i> Mount options
                        </h3>
                        <p class="text-gray-700 mb-4">Restrict what a filesystem is allowed to contain or run by setting mount options in /etc/fstab; a filesystem that holds only data should never be able to supply executables, setuid binaries or device nodes.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Example hardened entries in /etc/fstab</span><br>
                                /dev/sdX /mount/point ext4 defaults,noexec,nosuid,nodev 0 0<br>
                                tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> noexec: binaries on this filesystem cannot be executed directly (a script handed to an interpreter still runs, so this is a speed bump, not a wall) | nosuid: setuid/setgid bits are ignored | nodev: device special files are not honoured. noexec on /tmp can break installers that unpack and run helpers there; test before rolling it out.
                        </div>
                    </div>
                    
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-save mr-2"></i> Backups
                        </h3>
                        <p class="text-gray-700 mb-4">Back up important data on a schedule and encrypt the backups: a backup is a second copy of everything the rest of this guide is protecting, and deserves the same controls.</p>
                        <div class="flex flex-wrap gap-2 mb-4">
                            <span class="badge bg-blue-100 text-blue-800"><i class="fas fa-clock mr-1"></i> Scheduled</span>
                            <span class="badge bg-green-100 text-green-800"><i class="fas fa-key mr-1"></i> Encrypted</span>
                            <span class="badge bg-purple-100 text-purple-800"><i class="fas fa-cloud mr-1"></i> Off-site</span>
                            <span class="badge bg-yellow-100 text-yellow-800"><i class="fas fa-check mr-1"></i> Verified</span>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> Follow the 3-2-1 rule: 3 copies, on 2 different media, with 1 off-site. Test restores; a backup that has never been restored is not yet a backup.
                        </div>
                    </div>
                </div>
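                <div class="card bg-white p-6 mt-6">
                    <p class="text-gray-700 mb-4">The fstab lines above are single entries; on a real host the question is which mount points are missing which option, and how to fix them consistently. The script below is an added example for this page, not from the original guide. The policy table (which mount points need which options) and the sample fstab are assumptions made for the demonstration; adjust the policy to the host.</p>
<pre class="code-block p-4 mb-4">
```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: check /etc/fstab-style
# entries against a per-mount-point option policy and emit a hardened copy.
# The policy below and the sample fstab are assumptions for the demo.

# Mount points that should carry restrictive options, and which ones.
policy() {
    cat <<'EOF'
/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/home nodev,nosuid
EOF
}

# Report violations, one per line: "<mountpoint> missing <option>", or
# "<mountpoint> not in fstab" for a policy mount point with no entry at all
# (it is then part of the parent filesystem and inherits its options).
check_fstab() {
    fstab=$1
    policy | while read -r mp want; do
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp not in fstab"
            continue
        fi
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "$mp missing $o" ;;
            esac
        done
    done
}

# Print a copy of the fstab with the missing options appended; comments and
# lines for mount points outside the policy pass through untouched.
harden_fstab() {
    awk -v pol="$(policy | tr '\n' ';')" '
    BEGIN {
        n = split(pol, lines, ";")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            if (kv[1] != "") want[kv[1]] = kv[2]
        }
    }
    /^#/ || NF < 4 { print; next }
    $2 in want {
        m = split(want[$2], need, ",")
        for (j = 1; j <= m; j++)
            if (index("," $4 ",", "," need[j] ",") == 0) $4 = $4 "," need[j]
    }
    { print }' "$1"
}

# Constructed sample (not a real host): /tmp lacks noexec, /home lacks both,
# /var/tmp has no entry of its own, /dev/shm is already correct.
sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
UUID=1111-aaaa /         ext4  defaults                      1 1
UUID=2222-bbbb /home     ext4  defaults                      1 2
UUID=3333-cccc /tmp      ext4  defaults,nodev,nosuid         1 2
tmpfs          /dev/shm  tmpfs defaults,nodev,nosuid,noexec  0 0
EOF
    echo "$f"
}

f=$(sample_fstab)
echo "== violations =="; check_fstab "$f"
echo "== hardened copy =="; harden_fstab "$f"
rm -f "$f"
```
</pre>
                    <p class="text-sm text-gray-500">fstab only records intent: compare it with the running mounts using findmnt -no OPTIONS /tmp, and apply a change without rebooting with mount -o remount,noexec /tmp once you have confirmed nothing on that mount needs to execute.</p>
                </div>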
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-search text-blue-500 mr-3"></i> 5. Auditing and monitoring
                </h2>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-clipboard-list mr-2"></i> auditd
                        </h3>
                        <p class="text-gray-700 mb-4">Record who reads, writes, executes or changes attributes on a file, and watch the files that matter: /etc/shadow, sudoers, SSH keys, service configuration.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># Watch a file and tag matching events with a key (rules added this way are lost at reboot)</span><br>
                                auditctl -w /path/to/important/file -p rwxa -k important-file<br>
                                <span class="text-green-400"># Persist it: the same rule without "auditctl" in /etc/audit/rules.d/*.rules, then reload</span><br>
                                augenrules --load<br>
                                <span class="text-green-400"># Query the audit log by path or by key</span><br>
                                ausearch -f /path/to/important/file<br>
                                ausearch -k important-file
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> -p: r (read) w (write) x (execute) a (attribute change); -k tags the resulting records so that ausearch -k finds them without knowing the path
                        </div>
                    </div>
                    
                    <div class="card bg-white p-6">
                        <h3 class="text-xl font-semibold mb-3 text-blue-700 flex items-center">
                            <i class="fas fa-file-archive mr-2"></i> Log rotation
                        </h3>
                        <p class="text-gray-700 mb-4">Use logrotate to keep log files bounded so that they cannot fill the disk. Rotation does not protect logs from tampering; for that, forward them to a remote collector and keep the local copies readable by root only.</p>
                        <div class="code-block p-4 mb-4">
                            <code class="block">
                                <span class="text-green-400"># /etc/logrotate.d/secure example (RHEL-family auth log; Debian uses /var/log/auth.log)</span><br>
                                /var/log/secure {<br>
                                &nbsp;&nbsp;monthly<br>
                                &nbsp;&nbsp;rotate 12<br>
                                &nbsp;&nbsp;compress<br>
                                &nbsp;&nbsp;delaycompress<br>
                                &nbsp;&nbsp;missingok<br>
                                &nbsp;&nbsp;notifempty<br>
                                &nbsp;&nbsp;create 0600 root root<br>
                                }
                            </code>
                        </div>
                        <div class="text-sm text-gray-500">
                            <i class="fas fa-info-circle mr-1"></i> Confirm regularly that rotated logs exist, are readable, and have not had their ownership or mode loosened. On RHEL-family hosts /var/log/secure is normally already rotated by the stanza rsyslog installs (/etc/logrotate.d/syslog or rsyslog); logrotate rejects a file listed twice, so extend that stanza rather than adding a second.
                        </div>
                    </div>
                </div>
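                <div class="card bg-white p-6 mt-6">
                    <p class="text-gray-700 mb-4">Once a watch rule with a key is in place, the question an investigator asks first is who touched the file and under which identity. The script below is an added example for this page, not code from the original guide. It parses records in auditd's native key=value format; the log lines are constructed samples, and the rule key shadow-watch and the uids in them are assumed values.</p>
<pre class="code-block p-4 mb-4">
```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: summarise auditd SYSCALL
# records produced by a "-w ... -k <key>" watch rule. It answers two
# questions: who touched the watched file (auid is the login user, uid the
# effective user) and from which binary, and which of those accesses happened
# after an identity switch (sudo/su). The log lines are constructed samples
# in auditd's native key=value format.

# awk helper: parse the current record's key=value tokens into array f,
# stripping the quotes auditd puts around string values.
_parse='function parse(   i, kv, v) {
    split("", f)
    for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") >= 2) {
            v = substr($i, length(kv[1]) + 2)
            gsub(/"/, "", v)
            f[kv[1]] = v
        }
}'

# One line per distinct (key auid uid exe success) tuple with its count.
audit_summary() {
    awk "$_parse"'
    $1 == "type=SYSCALL" {
        parse()
        c[f["key"] " " f["auid"] " " f["uid"] " " f["exe"] " " f["success"]]++
    }
    END { for (k in c) print k, c[k] }' "$1" | sort
}

# Successful accesses where the effective uid differs from the login uid.
# auid 4294967295 (unset) marks daemons started at boot, not a human login.
flag_identity_switch() {
    awk "$_parse"'
    $1 == "type=SYSCALL" {
        parse()
        if (f["success"] == "yes" && f["auid"] != "4294967295" && f["auid"] != f["uid"])
            print f["auid"], f["uid"], f["exe"], f["key"]
    }' "$1"
}

# Constructed sample log (not from a real host): two root edits of the watched
# file by login user 1000, one denied read by user 1001, one daemon event.
sample_audit_log() {
    l=$(mktemp)
    cat > "$l" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="shadow-watch"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1201 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="shadow-watch"
type=SYSCALL msg=audit(1700000000.310:2003): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=905 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="shadow-watch"
type=SYSCALL msg=audit(1700000000.400:2004): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=50 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd-config"
EOF
    echo "$l"
}

log=$(sample_audit_log)
echo "== per key/user/binary =="; audit_summary "$log"
echo "== identity switches =="; flag_identity_switch "$log"
rm -f "$log"
```
</pre>
                    <p class="text-sm text-gray-500">On a live host, export the records first (for example ausearch -k shadow-watch --raw > /tmp/shadow-watch.log) and pass that file to the functions. auid survives sudo and su because pam_loginuid sets it once at login, which is why comparing auid with uid is the reliable signal for an identity switch.</p>
                </div>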
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-sync-alt text-blue-500 mr-3"></i> 6. Apply security updates
                </h2>
                
                <div class="card bg-white p-6">
                    <div class="flex flex-col md:flex-row">
                        <div class="md:w-1/2 pr-4">
                            <h3 class="text-xl font-semibold mb-3 text-blue-700">System updates</h3>
                            <p class="text-gray-700 mb-4">Install security updates and patches promptly; most intrusions exploit vulnerabilities for which a fix was already available.</p>
                            <div class="code-block p-4 mb-4">
                                <code class="block">
                                    <span class="text-green-400"># Debian/Ubuntu</span><br>
                                    apt-get update &amp;&amp; apt-get upgrade<br>
                                    <span class="text-green-400"># RHEL/CentOS 7 and older</span><br>
                                    yum update<br>
                                    <span class="text-green-400"># RHEL 8+, Fedora and derivatives</span><br>
                                    dnf upgrade
                                </code>
                            </div>
                        </div>
                        <div class="md:w-1/2 pl-4">
                            <h3 class="text-xl font-semibold mb-3 text-blue-700">Minimal installation</h3>
                            <p class="text-gray-700 mb-4">Install only the packages and applications the host needs; every extra package is code that must be patched and may expose a listening service.</p>
                            <div class="flex items-center text-yellow-600 mb-2">
                                <i class="fas fa-exclamation-triangle mr-2"></i>
                                <span>Disable services that are not needed:</span>
                            </div>
                            <div class="code-block p-4">
                                <code class="block">
                                    systemctl disable --now &lt;service&gt; <span class="text-gray-500"># --now also stops it immediately</span>
                                </code>
                            </div>
                        </div>
                    </div>
                </div>
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-4 flex items-center">
                    <i class="fas fa-shield-virus text-blue-500 mr-3"></i> 7. Regular security scans
                </h2>
                
                <div class="card bg-white p-6">
                    <h3 class="text-xl font-semibold mb-3 text-blue-700">Scan the system with security tools</h3>
                    <p class="text-gray-700 mb-4">Run scanners on a schedule to catch configuration drift and newly disclosed weaknesses; a hardened baseline erodes with every change.</p>
                    
                    <div class="grid md:grid-cols-2 gap-4">
                        <div class="bg-gray-100 p-4 rounded-lg">
                            <h4 class="font-semibold text-gray-800 mb-2 flex items-center">
                                <i class="fas fa-dragon mr-2 text-red-500"></i> Lynis
                            </h4>
                            <p class="text-gray-700 text-sm mb-2">Open-source host auditing tool: checks hardening state and compliance items on the local system and reports findings with suggestions.</p>
                            <div class="code-block p-3 text-sm">
                                <code>lynis audit system</code>
                            </div>
                        </div>
                        
                        <div class="bg-gray-100 p-4 rounded-lg">
                            <h4 class="font-semibold text-gray-800 mb-2 flex items-center">
                                <i class="fas fa-spider mr-2 text-purple-500"></i> OpenVAS
                            </h4>
                            <p class="text-gray-700 text-sm mb-2">Vulnerability scanner, now maintained as part of Greenbone Vulnerability Management (GVM), that tests hosts over the network for known vulnerabilities.</p>
                            <div class="code-block p-3 text-sm">
                                <code>gvm-setup <span class="text-gray-500"># Kali's setup helper; older releases shipped it as openvas-setup</span></code>
                            </div>
                        </div>
                    </div>
                </div>
            </article>
            
            <article class="mb-12">
                <h2 class="text-2xl font-bold mb-6">Summary of hardening best practices</h2>
                
                <div class="bg-blue-50 border-l-4 border-blue-500 p-6 rounded-r-lg mb-6">
                    <div class="flex">
                        <div class="flex-shrink-0">
                            <i class="fas fa-lightbulb text-yellow-500 text-2xl"></i>
                        </div>
                        <div class="ml-3">
                            <p class="text-blue-800 font-medium">Follow the principle of least privilege</p>
                            <p class="text-blue-700">Grant only the permissions a task needs and review them on a schedule; permissions accumulate over time and never shrink on their own</p>
                        </div>
                    </div>
                </div>
                
                <div class="grid md:grid-cols-3 gap-6">
                    <div class="bg-white p-6 rounded-lg shadow-sm border-t-4 border-green-500">
                        <h3 class="font-semibold text-lg mb-2 text-gray-800">Encryption</h3>
                        <ul class="text-gray-700 space-y-2">
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>Full-disk encryption for data at rest</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>File-level encryption for sensitive directories</span>
                            </li>
                        </ul>
                    </div>
                    
                    <div class="bg-white p-6 rounded-lg shadow-sm border-t-4 border-blue-500">
                        <h3 class="font-semibold text-lg mb-2 text-gray-800">Access control</h3>
                        <ul class="text-gray-700 space-y-2">
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-blue-500 mt-1 mr-2"></i>
                                <span>Set file permissions correctly</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-blue-500 mt-1 mr-2"></i>
                                <span>Use SELinux or AppArmor</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-blue-500 mt-1 mr-2"></i>
                                <span>Restrictive mount options</span>
                            </li>
                        </ul>
                    </div>
                    
                    <div class="bg-white p-6 rounded-lg shadow-sm border-t-4 border-purple-500">
                        <h3 class="font-semibold text-lg mb-2 text-gray-800">Monitoring and maintenance</h3>
                        <ul class="text-gray-700 space-y-2">
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-purple-500 mt-1 mr-2"></i>
                                <span>Enable audit logging</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-purple-500 mt-1 mr-2"></i>
                                <span>Scan regularly</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-purple-500 mt-1 mr-2"></i>
                                <span>Apply security updates promptly</span>
                            </li>
                        </ul>
                    </div>
                </div>
            </article>
        </section>
    </div>

    <!-- Footer -->
    <footer class="bg-gray-900 text-gray-300 py-8">
        <div class="container mx-auto px-4 max-w-5xl">
            <div class="flex flex-col md:flex-row justify-between items-center">
                <div class="mb-4 md:mb-0">
                    <h3 class="text-xl font-semibold text-white mb-2">技术小馆</h3>
                    <p class="text-sm">Professional Linux system security knowledge sharing</p>
                </div>
                <div>
                    <a href="http://www.yuque.com/jtostring" class="hover:text-white transition-colors duration-200 flex items-center">
                        <i class="fas fa-external-link-alt mr-2"></i> www.yuque.com/jtostring
                    </a>
                </div>
            </div>
            <div class="border-t border-gray-700 mt-6 pt-6 text-center text-sm">
                <p>© 2023 技术小馆. All rights reserved.</p>
            </div>
        </div>
    </footer>

    <script>
        mermaid.initialize({
            startOnLoad: true,
            theme: 'default',
            flowchart: {
                useMaxWidth: true,
                htmlLabels: true,
                curve: 'basis'
            }
        });
    </script>
</body>
</html>
```